Privacy Statement

ELBUS

In the following you will find a description of which personal data is collected and processed by the ELBUS service.


Only the German version of the privacy statement shall be legally binding; the English translation serves information purposes only.

Name of the service

ELBUS (Electronic Lab Book at the University of Stuttgart)

1. Responsible in terms of data protection law

University of Stuttgart

Keplerstraße 7

70174 Stuttgart

Germany

Tel: +49 711/685-0

E-Mail: poststelle@uni-stuttgart.de

2. Data protection officer

University of Stuttgart

Data protection officer

Breitscheidstr. 2

70174 Stuttgart

Phone: +49 711 685-83687

Fax: +49 711 685-83688

E-Mail: datenschutz@uni-stuttgart.de

3. Notes

This information on data protection (data protection declaration) refers to the ELBUS service of the University of Stuttgart, which is provided under the following domains:

The servers are provided and administered by the Technical Information and Communication Services (TIK) of the Information and Communication Center of the University of Stuttgart. The Research Data Competence Center FoKUS, as part of the Information and Communication Center Stuttgart (IZUS), is responsible for the content.

4. Processing of personal data

The personal data described in this section is collected, stored and/or processed.

  • Account data
  • Process metadata, further metadata and research data
  • Log files
  • Cookies

4.0. Account

4.0.1 Description and categories of data

An account is required to use ELBUS. The prerequisite for creating such an account is authentication via an authentication server (IDP) using Shibboleth® by the University of Stuttgart. When you first log in to ELBUS, an account is created that takes the following information from the authentication server (IDP):

The following is also stored:

  • Assignment of a user to one or more teams
  • ORCID ID, if this has been added to the user's own account by the user (optional)

4.0.2 Purpose

The account information is used to assign rights and roles. It is also used to provide information to users and to secure the IT infrastructure.

4.0.3 Legal basis

The use of ELBUS is voluntary for all users. The legal basis for the processing is then Art. 6 para. 1 lit. a GDPR.

4.0.4 Disclosure

Account information (first and last name, e-mail address and, if applicable, user ID) is provided to administrators and system administrators for the purpose of managing user accounts and assigning rights and roles. Members of a team can see the first and last names and email addresses of all other team members.

The available data (first and last names, email addresses) will only be passed on to the competent authorities at their request for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

4.0.5 Duration of storage

Existing accounts will be deleted upon request if no more data associated with them is contained in ELBUS. If the accounts are used in connection with the versioning of published data or audit trails, they cannot be deleted until the associated data itself is deleted. As a rule, this will only happen after 10 years at the earliest.

4.1 Process metadata, further metadata and research data

4.1.1 Description and categories of data

When using ELBUS, user activities are recorded (Process metadata) and linked to the user account. The following information is potentially visible and searchable for other users via ELBUS:

  • First name and surname of the owner of an experiment, resource or resource booking
  • First name and surname of each person who makes changes to an experiment, a resource or a resource booking or creates revisions

Users can also add further data - potentially including personal data - in the form of metadata or attached research data in the experiment descriptions. In this case, users themselves are responsible for taking sufficient additional measures to ensure that this data is protected from access by unauthorized persons.

4.1.2 Purpose

The collection of Process metadata, further metadata and research data serves to fulfill the documentation requirement in accordance with good scientific practice and, if applicable, in accordance with further legal requirements.

4.1.3 Legal basis

The legal basis for the processing is Art. 6 para. 1 lit. c GDPR.

4.1.4 Disclosure

Process metadata, further personal metadata and research data may be passed on to prove research performance in the sense of good scientific practice in the context of procedures for suspected scientific misconduct within the Universität Stuttgart and, if necessary, to other investigating authorities or bodies.

4.1.5 Duration of storage

Process metadata, further metadata and research data are stored for at least 10 years as part of the documentation requirement in the sense of good scientific practice.

4.2 Provision of the website and creation of log files

4.2.1 Description and categories of data

When ELBUS websites are accessed, data is transmitted to our web server via the browser. This also applies to the retrieval of API endpoints. The following data is temporarily recorded as a log entry during an active connection:

  • IP address of the requesting computer
  • Date and time of access
  • Name, URL and transferred data volume of the retrieved file
  • Access status (requested file transferred, not found, etc.)
  • Browser type and operating system (if transmitted by the requesting web browser)
  • Website from which access was made (if transmitted by the requesting web browser)

The data is processed as follows:

  • The log entries are continuously and automatically evaluated in order to detect attacks on the web servers and to be able to react accordingly.
  • In individual cases, i.e. in the event of reported malfunctions, errors and security incidents, a manual analysis is carried out.
  • The log entries are merged with the network identification data.
  • The merged log entries are only analyzed when necessary.

In addition, the date and time stamp, IP address + port (source), IP address + port (destination) and packet size are logged on the active network components of the University of Stuttgart when websites are accessed.

4.2.2 Purpose

The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. To do this, the user's IP address must be stored for the duration of the session. The log entries are stored to ensure the functionality of the website. In addition, the data helps us to optimize the website and ensure the security of our information technology systems. The merged log entries and the logging on active network components also serve to ensure the security of the information technology systems. These purposes also constitute our legitimate interest in data processing in accordance with Article 6(1)(f) of the GDPR.

4.2.3 Legal basis

The legal basis for the temporary storage of data and log entries is Article 6(1)(f) of the GDPR.

4.2.4 Disclosure

If investigative measures are initiated due to attacks on our information technology systems, the data and log entries mentioned in 4.2.1. may be passed on to state investigative bodies (e.g. police, public prosecutor's office). The same applies if the University receives inquiries from the relevant authorities and/or courts and is obliged to comply with them.

4.2.5 Duration of storage

The data will be deleted as soon as it is no longer required for the purpose for which it was collected. In the case of data collection for the provision of the website, this is the case when the respective session has ended. The merged log entries will be deleted after 7 days at the latest.

4.2.6 Consequences of non-disclosure, right to object or right of removal

The collection of data for the provision of the website and the storage of data in log entries is essential for the operation of the website. Users who do not want their data to be processed as described cannot use the university's services.

4.3 Use of cookies

4.3.1 Description and categories of data

The ELBUS websites use cookies to assign consecutive page views to a coherent session after a login (session cookie). Cookies are text files that are stored in or by the browser on the user's computer system. This cookie contains a characteristic string that enables a unique identification of the browser when the website is accessed again. When a user visits a website, a cookie may be stored on the user's operating system.

4.3.2 Purpose

Most of the functions of the ELBUS websites cannot be offered without the use of cookies, in particular all functions that require authentication with an account. For these, it is necessary that the browser is recognized even after a page change.

The user data collected by technically necessary cookies are not used to create user profiles.

These purposes also constitute our legitimate interest in the processing of personal data in accordance with Art. 6 (1) point f GDPR.

4.3.3. Legal basis

The legal basis for the processing of personal data using cookies is Art. 6 (1) point f GDPR.

4.3.4 Disclosure

The information contained in the cookies is received only by the authorized web server, i.e. the University web server that sets the cookie.

4.3.5 Duration of storage

Session cookies are automatically deleted from the computer when the browser is closed. Since the cookies are stored on the respective end device, users also have the option of deleting them earlier. For more details, see the following point.

4.3.6. Consequences of not providing information, right to object and right to erasure

Cookies are stored on the user's computer and transmitted to our site from there. Therefore, users also have full control over the use of cookies, regardless of the storage periods listed above. By changing the settings in the browser, the transmission of cookies can be disabled or restricted. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are disabled for the ELBUS websites, it is possible that not all functions of the website can be used to their full extent.

5. Your rights

  • You have the right to request information from the university about the data stored about you and/or to have incorrectly stored data corrected.
  • You also have the right to request the deletion or restriction of the processing of your data, or to object to the processing.

To do so, please contact the data protection officer at the University of Stuttgart: datenschutz@uni-stuttgart.de

  • You have the right to lodge a complaint with the supervisory authority if you believe that the processing of your personal data violates the law.

The responsible supervisory authority is the State Commissioner for Data Protection and Freedom of Information for Baden-Württemberg.

6. Privacy Code of Conduct

Your personal data is protected by the Code of Conduct for Service Providers, a general standard in the research and higher education sector to protect your privacy.

 

FoKUS – Competence Center for Research Data
